On Sun, 2003-08-17 at 18:10, Roland Lieger wrote:
> Hello,
> 
> Thanks for the creation of Spam-Assassin. It is a great tool that really cuts
> down the amount of junk mail I get. Great work!
> 
> There is one feature (ruleset) that I would like to see added:
> _Very_simple_ malware (virus/worm/etc.) detection based on filenames. I
> am not talking about fancy code analysis for all types of OS and machine
> architectures (which is definitely a huge project in its own right and requires
> lots of manpower to keep up to date). What I want is that Spam-Assassin
> recognizes 'creative' filenames in attachments like "coolimage.jpg.exe"
> or "nicesound.mid.cmd" that are designed to lure people on Windows
> systems (which offers the dangerous feature to hide the extensions of
> known file types, making the file names appear as "coolimage.jpg" or
> "nicesound.mid") to doubleclick on the attachment meaning to view the
> image or hear the tune while in reality starting an program (which then
> usually does something nasty).
> 
> There are three cases that I would want treated:
> 1) The simple case as above "coolimage.jpg.exe"
> 2) You can also hide the extension using lots of white space, as in
>    "nicesound.mid  <lots of white space here>   .cmd". Many programs
>    don't display the full filename, but will display only "nicesound.mid"
>    plus lots of white space (which gives no visual hint) and maybe a "..."
>    somewhere at the end of the line far, far away from the user's field
>    of vision (and center of attention).
> 3) 'Creative' use of the Content-Type of an attachment like:
>         
>   (where the name may or may not be on the same line as the Content-Type
>    tag, lots of space might be used to indent the name if it is on a separate
>    line)
>    This too causes many programs to display a generic sound icon for the
>    attachment, while a double-click obviously starts a program ;(
> 
> Of course all these 3 types are not strictly illegal and could in theory
> also appear in ham, but I dare say that they are strong indications for 
> emails that try to trick people into running programs that they did not
> really intend to run.
> 
> All three tricks work only against Windows machines and are not dangerous
> for users of other operating systems, but even as a Linux user I am very
> annoyed if I have to sort out all this junk.
> 
> I am aware that this feature is not directed against spam-mail in the usual
> meaning of the word, but it is directed against "something that I definitely
> don't want in my inbox", so I would like to ask you to include this feature
> in Spam Assassin.

It's unsolicited, it's both automated and bulk, and it's email, I'd say
it's spam.

> Valid extensions for Windows programs files (that should be found) are:
>    .com, .exe,  (machine programs)
>    .scr         (Screen Saver, just a regular machine program with a fancy name)
>    .bat, .cmd,  (shell scripts / batch files)
>    .pif,        (program information file, obsolete, but still works to run a prg.)
>    .vbs, .vbe,  (visual basic, requires office but that's frequent
>                  enough to be used)
>    .js,  .jse,   (java)
>    .wsf, .wsh,  (Windows scripting file)
>    .ocx         (ActiveX-control)
>    .msc         (Microsoft System Console configuration plugin)
>    possibly others...
> 
> File Types that might be used to disguise the programs:
> Images:
>   .bmp, .wbmp, .gif, .jpeg, .jpg, .png, .ico, .img, 
>   .j2k, .jp2, .psd, .psp, .sgi, .tif, .tiff, .tga
> Movie:
>   .avi, .mov, .mpg, .mpeg, .qt
> Sounds: 
>   .aif, .aiff, .snd, .mp3, .wav, .mid, .midi, .ogg
> Office:
>   .doc, .dot, .xls, .xlt, .pps, .ppt,
> Text:
>   .txt, .htm, .html, .pdf, .rtf
> Archives:
>   .arc, .arj, .gz, .hqx, .sit, .zip, .z,
>   .lzh, .tar, .tgz, .uue, .uu
> possibly others...
> Don't block all files with multiple extensions. They are too common in ham!
> 
> Content Types that might be used to disguise programs:
>   C
>   C
>   C
>   C
> possibly everything but 
>   C
> 
> I am sorry to say that I am not good enough with Perl to come up with a
> ruleset myself, but I would like to encourage you to create such a set.
> 
> Yours,
>   Roland Lieger
>   [EMAIL PROTECTED]
> 
>   
> My feeble attempts for a ruleset...
> body DISGUISED_PROGRAM /\.(gif|jpg|jpeg|png|ico|img|tif|tiff|bmp|wbmp|j2k|jp2|psd|psp|sgi|avi|mov|mpg|mpeg|qt|aif|aiff|snd|mp3|ogg|wav|mid|midi|doc|dot|xls|xlt|pps|ppt|txt|htm|html|pdf|rtf|arc|arj|gz|hqx|sit|zip|z|lzh|tar|tgz|uue|uu)\s{0,40}\.(com|exe|scr|bat|cmd|pif|vbs|vbe|js|jse|wsf|wsh|ocx|msc)\b/i
> describe DISGUISED_PROGRAM Uses a strange filename/extension to trick you into running a program
> 
> body MISLEADING_CONTENTTYPE /Content-Type.{0,4}(image|audio|video|text)\s{0,30}name.{0,5}\.(com|exe|scr|bat|cmd|pif|vbs|vbe|js|jse|wsf|wsh|ocx|msc)\b/i
> describe MISLEADING_CONTENTTYPE Misleading Content-Type chosen to trick you into running a program
> 
> 
I haven't linted it but that looks pretty comprehensive to me. 

Doesn't it need to be rawbody to get into the mime boundaries?

Consider splitting the disguised program rule up at different scores,
for example
filename.zip.exe 
is a lot more likely to be genuine than 
filename.jpg              .vbs

Looks like a good rule to me
-- 
Yorkshire Dave
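Added example, not from the thread or from SpamAssassin itself: a Python re-implementation of the three cases in Roland's proposal that reads the attachment name from each MIME part's own headers (so the body/rawbody question does not arise) and applies the split scoring Dave suggests, with a harsher score for whitespace padding and a mild one for "filename.zip.exe". The sample message, the score values and the rule names with suffixes are constructed here.

```python
import email
import re

# Executable extensions from Roland's list and a subset of his decoy extensions.
EXEC_EXTS = r"(?:com|exe|scr|bat|cmd|pif|vbs|vbe|js|jse|wsf|wsh|ocx|msc)"
DECOY_EXTS = r"(?:gif|jpe?g|png|bmp|tiff?|avi|mov|mpe?g|mp3|wav|midi?|doc|xls|ppt|txt|html?|pdf|zip|gz|tar|tgz)"
DISGUISED = re.compile(rf"\.({DECOY_EXTS})(\s*)\.({EXEC_EXTS})$", re.I)
EXEC_NAME = re.compile(rf"\.{EXEC_EXTS}$", re.I)

def score_filename(name, content_type):
    """Score one attachment name with the tiered scores Dave suggests (values are constructed)."""
    score, reasons = 0.0, []
    m = DISGUISED.search(name)
    if m and m.group(2):  # case 2: whitespace pushes ".cmd" out of the user's view
        score += 3.0; reasons.append("DISGUISED_PROGRAM_PADDED")
    elif m and m.group(1).lower() in ("zip", "gz", "tar", "tgz"):  # often genuine
        score += 0.5; reasons.append("DISGUISED_PROGRAM_ARCHIVE")
    elif m:  # case 1: plain double extension such as "coolimage.jpg.exe"
        score += 2.0; reasons.append("DISGUISED_PROGRAM")
    # case 3: an image/audio/video/text Content-Type carrying an executable name
    if EXEC_NAME.search(name) and content_type.split("/")[0] in ("image", "audio", "video", "text"):
        score += 2.0; reasons.append("MISLEADING_CONTENTTYPE")
    return score, reasons

def scan_message(raw):
    """Walk the MIME parts of a raw message; return {filename: (score, reasons)} for hits."""
    hits = {}
    for part in email.message_from_string(raw).walk():
        name = part.get_filename()  # Content-Disposition filename= or Content-Type name=
        if name and (hit := score_filename(name, part.get_content_type()))[0]:
            hits[name] = hit
    return hits

# Constructed sample message (not from the thread) carrying cases 1 and 2+3.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="coolimage.jpg.exe"

(program bytes)
--b1
Content-Type: audio/x-wav; name="nicesound.mid                    .cmd"

(program bytes)
--b1--
"""
```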
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk